You can't redirect with a 401 status header, 4** codes are not made for redirection, instead use a 3** header. Moreover in your case would be more appropriate send a non authorized header and then redirect with JavaScript.